Account Takeover in tooljet/tooljet

Valid

Reported on

May 19th 2022


Description

Hi, I found a way to take over a user's account

Proof of Concept

1. Victim A is a member of an organization, orgA

2. The attacker creates a new account with orgB

3. Invite victim A to orgB

4. Since an admin can access the invitation link, the attacker copies this link and sets a new password using it

5. Now log in with victim A's email and the newly created password

PoC link:

https://youtu.be/krzkXTIy5ww

Impact

This will lead to account takeover of any low-privileged user or admin user.
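The flaw above is an invitation flow that lets the holder of an invite link set a password on an account that already exists. The following is an added example (not TooLJet's code, and not part of the report) of a hardened invite-acceptance step: it uses simplified in-memory stores, a placeholder hash, and constructed sample data, and it only ever grants organization membership to an existing account, never credentials.

```typescript
// Added example, not TooLJet code: invite tokens may add an existing user to
// an organization but must never change that user's password.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

interface User { email: string; passwordHash: string; orgs: Set<string> }
interface Invite { tokenHash: string; email: string; orgId: string; used: boolean }

export const users = new Map<string, User>();     // keyed by email
export const invites = new Map<string, Invite>(); // keyed by token hash

// Stand-in for a real password hash (use bcrypt/argon2 in production code).
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");

// Hypothetical helper: a pre-existing victim account in orgA (constructed data).
export function seedVictim(email: string, password: string, orgId: string): void {
  users.set(email, { email, passwordHash: sha256(password), orgs: new Set([orgId]) });
}

// The org admin creates an invite. Only the token hash is stored server-side; the
// raw token is meant to go to the invitee's mailbox and is never shown in the admin UI.
export function createInvite(email: string, orgId: string): string {
  const token = randomBytes(32).toString("hex");
  invites.set(sha256(token), { tokenHash: sha256(token), email, orgId, used: false });
  return token;
}

export type AcceptResult = "ok" | "invalid_token" | "password_ignored_existing_user";

// Hardened acceptance: a password supplied with the token is honoured only when
// the invite creates a brand-new account. For an existing account the token
// grants membership only, so whoever can read the link cannot reset credentials.
export function acceptInvite(token: string, newPassword: string): AcceptResult {
  const inv = invites.get(sha256(token));
  if (!inv || inv.used) return "invalid_token";
  inv.used = true;                       // single use
  const existing = users.get(inv.email);
  if (existing) {
    existing.orgs.add(inv.orgId);        // membership only, credentials untouched
    return "password_ignored_existing_user";
  }
  users.set(inv.email, { email: inv.email, passwordHash: sha256(newPassword), orgs: new Set([inv.orgId]) });
  return "ok";
}

export function login(email: string, password: string): boolean {
  const u = users.get(email);
  if (!u) return false;
  return timingSafeEqual(Buffer.from(u.passwordHash), Buffer.from(sha256(password)));
}
```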

We are processing your report and will contact the tooljet team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the tooljet team and are waiting to hear back a month ago
We have sent a follow up to the tooljet team. We will try again in 7 days. a month ago
We have sent a second follow up to the tooljet team. We will try again in 10 days. a month ago
tooljet/tooljet maintainer validated this vulnerability 20 days ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tooljet/tooljet maintainer confirmed that a fix has been merged on fadf02 20 days ago
The fix bounty has been dropped
Distorted_Hacker
20 days ago

Researcher


Hi @admin, can you please assign a CVE?

Thanks

Jamie Slome
20 days ago

Admin


Sorted 👍
